REMARKS 



In response to the action of May 28, 2008, applicants ask that all pending claims be 
allowed in view of the amendments to the claims and the following remarks. 

Claims 1-4, 7-11, 13-16 and 19-20 are currently pending, of which claims 1, 8 and 13 are 
independent. Claims 1-4, 7-11, 13-16 and 19-20 have been amended to recite that user access is 
limited to attribute(s) specified in a permission object. Claims 5-6, 12 and 17-18 are being 
canceled without prejudice. No new matter has been introduced. 

Claims 1-4, 7-11, 13-16 and 19 have been rejected as being anticipated by U.S. Patent 
No. 6,578,037 (Wong). This rejection is rendered moot by the above amendments and 
cancellations, but Applicants are not conceding that the rejections have merit. 

Moreover, Applicant respectfully submits that Wong does not describe or suggest all of 
the features recited by independent claims 1, 8 and 13 as amended. For example, and as 
described more fully below, Wong does not disclose the claimed attribute access group having 
one or more attributes of the multiple attributes associated with the data object type, the claimed 
attribute value group having one or more values associated with the one or more attributes in the 
attribute access group, the claimed determination that at least one attribute of the data object that 
the user seeks to access corresponds to an attribute of the attribute access group of the permission 
object, the claimed determination that a value of an attribute of one of the multiple attributes 
associated with the data object is consistent with the value of the attribute of the attribute value 
group, or the claimed determination that the user is permitted to access the attribute sought to be 
accessed and not permitted to access any other of the multiple attributes not corresponding to the 
attribute of the attribute access group, as recited by claims 1 and 8. 

Claim 1 recites a computer-readable medium having embodied thereon a computer 
program configured to determine whether a user is permitted to access a business object when 
executing a software application of an enterprise information technology system. The medium 
includes one or more code segments configured to: 

use a permission object to determine whether a user associated with an entry in 
user information is permitted to access at least part of a data object associated with a data 
object type, wherein: 

the entry in the user information associates the user with a user affiliation, 

the permission object identifies: 

a user affiliation to which the permission object applies, 

a data object type to which the permission object applies such that the data 
object type is associated with multiple attributes and each data object having the 
data object type is associated with the multiple attributes, 

a permission attribute identifying one of the multiple attributes, 

a permission value for the permission attribute, 

an attribute access group having one or more attributes of the multiple 
attributes associated with the data object type, and 

an attribute value group having one or more values associated with the one 
or more attributes in the attribute access group, and 

wherein upon determination that (1) the user affiliation that is associated with the 
user is the same user affiliation as the user affiliation to which the permission 
object applies, (2) the data object type of the data object is the same data object 
type as the data object type to which the permission object applies, (3) a value of 
an attribute of the multiple attributes associated with the data object is consistent 
with the permission value of the permission attribute and the attribute corresponds 
to the permission attribute, (4) at least one attribute of the data object that the user 
seeks to access corresponds to an attribute of the attribute access group of the 
permission object, and (5) a value of an attribute of one of the multiple attributes 
associated with the data object is consistent with the value of the attribute of the 
attribute value group, the user is permitted to access the attribute sought to be 
accessed and not permitted to access any other of the multiple attributes not 
corresponding to the attribute of the attribute access group. 
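
The five-condition check recited above can be sketched as follows. This is an added illustration, not code from the application or from Wong. It assumes that "consistent with" means equality or set membership, that the attribute value group maps each access-group attribute to its allowed values, and that an attribute with no value-group entry is denied; the names `PermissionObject`, `permitted_attributes`, `read`, `PERM` and `ORDER` are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermissionObject:
    affiliation: str           # user affiliation the permission applies to
    object_type: str           # data object type the permission applies to
    permission_attribute: str  # one of the type's attributes
    permission_value: str      # value that attribute must have
    access_group: frozenset    # attributes the user may access
    value_group: dict          # access-group attribute -> allowed values (assumed shape)

def permitted_attributes(affiliation, object_type, obj, requested, perm):
    """Return the requested attributes the user may access (empty set = deny)."""
    if affiliation != perm.affiliation:                              # condition (1)
        return set()
    if object_type != perm.object_type:                              # condition (2)
        return set()
    if obj.get(perm.permission_attribute) != perm.permission_value:  # condition (3)
        return set()
    granted = set()
    for attr in requested:
        if attr not in perm.access_group:                            # condition (4)
            continue
        # Assumption: "consistent with" is modelled as membership; default deny.
        if obj.get(attr) in perm.value_group.get(attr, ()):          # condition (5)
            granted.add(attr)
    return granted

def read(affiliation, object_type, obj, requested, perm):
    """Project the object onto the permitted attributes only."""
    allowed = permitted_attributes(affiliation, object_type, obj, requested, perm)
    return {a: obj[a] for a in allowed}

# Constructed sample data, not taken from the application or from Wong.
PERM = PermissionObject(
    affiliation="sales-emea", object_type="SalesOrder",
    permission_attribute="region", permission_value="EMEA",
    access_group=frozenset({"status", "customer"}),
    value_group={"status": {"open"}, "customer": {"ACME", "Globex"}},
)
ORDER = {"region": "EMEA", "status": "open", "customer": "ACME",
         "credit_limit": "50000", "margin": "12%"}

if __name__ == "__main__":
    # 'margin' is outside the attribute access group, so only 'status' is returned.
    print(read("sales-emea", "SalesOrder", ORDER, ["status", "margin"], PERM))
```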

Wong teaches "Access to the [entire] database schema object" (Wong [col. 4, line 32]). 
However, Wong does not limit access to "the attribute sought" while "not [permitting] access to 
any other of the multiple attributes not corresponding to the attribute of the attribute access 
group." Specifically, Wong does not teach: wherein upon determination that (4) at least one 
attribute of the data object that the user seeks to access corresponds to an attribute of the attribute 
access group of the permission object, and (5) a value of an attribute of one of the multiple 
attributes associated with the data object is consistent with the value of the attribute of the 
attribute value group, the user is permitted to access the attribute sought to be accessed and not 
permitted to access any other of the multiple attributes not corresponding to the attribute of the 
attribute access group. 

Accordingly, applicant respectfully requests reconsideration and withdrawal of the 
rejection of claim 1 and its pending dependent claims 2-4 and 7. 

Independent claim 8, although different in scope from claim 1, recites features similar to 
those in claim 1 discussed above. Accordingly, applicant respectfully requests reconsideration 
and withdrawal of the rejection of claim 8 and its dependent claims 9-11. 

Independent claim 13 recites a computer system for determining whether a user is 
permitted to access at least part of a data object when executing a software application of an 
enterprise information technology system. The system includes a data repository for access 
control information for software and an executable software module. The data repository has 
data objects, each data object (1) being associated with a data object type having multiple 
attributes, (2) having multiple attributes that are the same as the multiple attributes of the data 
object type to which the data object is associated, and (3) having a value associated with each 
attribute of the multiple attributes. 

The data repository includes: 

user information that associates a user affiliation with a user of the 
software application, and 

permission information having multiple permission objects, each 
permission object identifying a user affiliation to which the permission object 
applies, a data object type to which the permission object applies, a permission 
attribute identifying one of the multiple attributes, a permission value for the 
permission attribute, and an attribute access group having one or more attributes 
of the multiple attributes associated with the data object type, and an attribute 
value group having one or more values associated with the one or more attributes 
in the attribute access group. 

The executable software module causes: 

a comparison of a value of an attribute of the multiple attributes 
associated with a data object to which a user seeks to access such that the 
attribute corresponds to the permission attribute of a permission object with the 
permission value of the permission object, 

a comparison of at least one attribute of the data object that the user 
seeks to access such that the attribute corresponds to an attribute of the attribute 
access group of the permission object, 

a comparison of a value of an attribute of one of the multiple attributes 
associated with the data object such that the value is consistent with the value of 
the attribute of the attribute value group, and 

an indication that a user is permitted to access the attribute sought to be 
accessed and not permitted to access any other of the multiple attributes not 
corresponding to the attribute of the attribute access group when (1) the value of 
the attribute associated with the data object is consistent with the permission 
value of the permission object, (2) at least one attribute of the data object that the 
user seeks to access corresponds to an attribute of the attribute access group of 
the permission object, and (3) a value of an attribute of one of the multiple 
attributes associated with the data object is consistent with the value of the 
attribute of the attribute value group. 

In contrast and as noted above, Wong teaches the use of a permission object (i.e., "policy 
group should limit a user's access to data" - Wong, Col. 6, lines 51-52) to determine whether a 
user associated with an entry in user information is permitted to access a data object associated 
with a data object type (Wong, objects 218 and 224 [figure 2]). However, Wong is silent on a 
comparison of at least one attribute of the data object that the user seeks to access such that the 
attribute corresponds to an attribute of the attribute access group of the permission object and a 
comparison of a value of an attribute of one of the multiple attributes associated with the data 
object such that the value is consistent with the value of the attribute of the attribute value group. 
Wong is further silent on the executable software module causing an indication that a user is 
permitted to access the attribute sought to be accessed and not permitted to access any other of 
the multiple attributes not corresponding to the attribute of the attribute access group when (1) 
the value of the attribute associated with the data object is consistent with the permission value 
of the permission object, (2) at least one attribute of the data object that the user seeks to access 
corresponds to an attribute of the attribute access group of the permission object, and (3) a 
value of an attribute of one of the multiple attributes associated with the data object is consistent 
with the value of the attribute of the attribute value group. More specifically, instead of limiting 
access to "the attribute sought" and "not [permitting] access to any other of the multiple 
attributes not corresponding to the attribute of the attribute access group," Wong grants "Access 
to the [entire] database schema object" (Wong [col. 4, line 32]). 

Accordingly, for at least the reasons discussed above with respect to claim 1, applicant 
respectfully requests reconsideration and withdrawal of the rejection of claim 13 and its 
dependent claims 14-16. 

Applicants further request reconsideration and withdrawal of the rejection of claims 19 
and 20 for the same reasons as cited above for independent claims 1, 8 and 13. 



Applicant submits that all pending claims are in condition for allowance. 

It is believed that all of the pending issues have been addressed. However, the absence of 
a reply to a specific rejection, issue or comment does not signify agreement with or concession 
of that rejection, issue or comment. In addition, because the arguments made above may not be 
exhaustive, there may be reasons for patentability of any or all pending claims (or other claims) 
that have not been expressed. Finally, nothing in this reply should be construed as an intent to 
concede any issue with regard to any claim, except as specifically stated in this reply, and the 
amendment of any claim does not necessarily signify concession of unpatentability of the claim 
prior to its amendment. 

The fee in the amount of $490 for the two-month extension of time is being paid 
concurrently herewith on the Electronic Filing System (EFS) by way of Deposit Account 
authorization. Please apply any other charges or credits to Deposit Account No. 06-1050. 